TLS initialization and handshake
Here are the details about the interactions between Telnet servers, clients, and Transport Layer Security (TLS).
What happens during TLS initialization?
The Telnet server attempts to initialize TLS each time the server is started and Telnet is configured to Allow Transport Layer Security (ALWSSL). During initialization, the Telnet server checks the certificate information in the QIBM_QTV_TELNET_SERVER application. You can tell that the TLS initialization is successful when more than one thread is running under the QTVTELNET job. Message CPDBCB3, "TLS is not available for use", is issued if TLS is not configured or failed to start.
The Telnet server does not initialize TLS when you have a restricted telnet-ssl port. The Telnet server sends the TCP2550 message, "Access to port 992 is restricted", to the QTVTELNET job log and to the QSYSOPR message queue.
When a certificate is incorrect or expired, initialization fails and the Telnet server sends message CPDBCnn to the QTVTELNET job log.
Even if no certificate or an expired certificate is in the QIBM_QTV_TELNET_SERVER application, the Telnet server successfully initializes TLS. However, the TLS handshake fails when the client tries to connect to the Telnet server. The Telnet server sends message CPDBCnn to the QTVTELNET job log.
What happens during TLS re-initialization?
When the certificate in the QIBM_QTV_TELNET_SERVER application changes, the Telnet server re-initializes TLS if a Digital Certificate Manager (DCM) change occurs. This means that you can replace an expired certificate or add or remove client certificates and Telnet picks up the changes automatically. The process is the same as TLS initialization. New Telnet TLS client sessions use the new certificate. Telnet TLS client sessions that are already established use the original certificate. After the Telnet server is ended and started again, all Telnet TLS client sessions use the new certificate.
If the TLS re-initialization fails, established TLS sessions use the original certificate that was initialized when the server started and new sessions are blocked from connecting. The next time you start the Telnet server, TLS initialization fails, although there will still be an active TLS listener. However, no new TLS connections will be successful until a change in the DCM forces Telnet server to re-initialize successfully.
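The initialization and re-initialization sections above name the messages that tell you whether the port 992 listener is usable: TCP2550 when the port is restricted, CPDBCB3 when TLS is not available, and the CPDBCnn family for certificate problems. The script below is an added example, not IBM-supplied code, that scans job-log text for those IDs and summarises what they imply. The line format it parses ("<message id> <text>") and the sample lines are constructed for the demo; a real QTVTELNET job log saved with DSPJOBLOG is laid out differently, so adapt message_ids() to your export. CPDBCXX is a placeholder standing in for whichever CPDBCnn message your system issues.

```python
"""Flag the TLS-related messages this page names in QTVTELNET job-log text.

Added example, not IBM-supplied code. Only the message IDs CPDBCB3 and
TCP2550, the CPDBCnn family and port 992 come from the page; the log line
format and the sample lines are constructed.
"""
import re
from typing import Dict, List

TLS_NOT_AVAILABLE = "CPDBCB3"   # page: "TLS is not available for use"
PORT_RESTRICTED = "TCP2550"     # page: "Access to port 992 is restricted"
CPDBC_FAMILY = re.compile(r"CPDBC[0-9A-Z]{2}")  # the page's CPDBCnn

# A leading 7-character IBM i message ID such as CPDBCB3 or TCP2550.
MSG_ID = re.compile(r"^\s*([A-Z]{3}[0-9A-Z]{4})\b")

# Constructed sample log. CPDBCXX is a placeholder for a CPDBCnn message,
# not a real message ID.
SAMPLE_JOBLOG = """\
TCP2550 Access to port 992 is restricted.
CPDBCB3 TLS is not available for use.
CPDBCXX (placeholder) certificate problem reported at TLS initialization.
"""


def message_ids(text: str) -> List[str]:
    """Return the message ID at the start of every line that carries one."""
    ids = []
    for line in text.splitlines():
        m = MSG_ID.match(line)
        if m:
            ids.append(m.group(1))
    return ids


def tls_findings(joblog: str) -> Dict[str, object]:
    """Summarise what the job log says about the TLS listener on port 992."""
    ids = message_ids(joblog)
    cpdbc = sorted({i for i in ids if CPDBC_FAMILY.fullmatch(i)})
    restricted = PORT_RESTRICTED in ids
    not_available = TLS_NOT_AVAILABLE in ids
    if restricted:
        action = "TLS was not initialized because port 992 is restricted"
    elif not_available:
        action = ("TLS not configured or failed to start: check the certificate "
                  "assigned to QIBM_QTV_TELNET_SERVER in DCM")
    elif cpdbc:
        action = ("CPDBC messages present: check for an incorrect or expired "
                  "certificate and for client handshake failures")
    else:
        action = "no TLS problem messages found"
    return {
        "port_992_restricted": restricted,
        "tls_not_available": not_available,
        "cpdbc_messages": cpdbc,
        "action": action,
    }


if __name__ == "__main__":
    for key, value in tls_findings(SAMPLE_JOBLOG).items():
        print(f"{key}: {value}")
```

The order of the checks mirrors the page: a restricted port stops initialization before any certificate is examined, CPDBCB3 means the listener never became usable, and other CPDBC messages point at the certificate or at individual client handshakes.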
What happens during a TLS handshake?
A TLS handshake occurs when the Telnet TLS client connects to TCP port 992 and attempts a TLS negotiation with the server. While the client is connecting to the server, it displays status numbers or messages on the status bar of the open window.
If the TLS handshake fails, the Telnet session is not established. For example, a sign-on screen does not appear in the Telnet TLS client window. Consult the user guide or online help for your Telnet TLS client for information about specific status numbers or messages. The Telnet server sends message CPDBCnn to the QTVTELNET job log.
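The page distinguishes three client-visible outcomes on port 992: nothing accepting the connection, a listener that answers but whose handshake fails (for example after an expired certificate survived initialization), and a completed handshake. The following script is an added example, not IBM client software, that performs the handshake from the client side with Python's ssl module and classifies the result along those lines; it also reports the certificate expiry so an about-to-expire certificate can be replaced before the handshakes start failing. The host name is a placeholder, and cafile is assumed to point at the CA that issued the certificate assigned to QIBM_QTV_TELNET_SERVER.

```python
"""Client-side check of the Telnet TLS listener on port 992.

Added example, not IBM client software. Host name is a placeholder.
"""
import socket
import ssl
import time
from typing import Dict, Optional

TELNET_TLS_PORT = 992  # from the page


def classify(exc: Optional[BaseException]) -> str:
    """Map the exception raised during connect/handshake to a short verdict."""
    if exc is None:
        return "handshake-ok"
    # SSLCertVerificationError is a subclass of SSLError, so test it first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "handshake-failed-cert"   # expired, untrusted or wrong-name certificate
    if isinstance(exc, ssl.SSLError):
        return "handshake-failed"        # listener answered, TLS negotiation failed
    if isinstance(exc, ConnectionRefusedError):
        return "no-listener"             # nothing accepting on the port
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"                 # filtered port or unreachable host
    return "other"


def probe(host: str, port: int = TELNET_TLS_PORT, timeout: float = 5.0,
          cafile: Optional[str] = None) -> Dict[str, object]:
    """Open a TCP connection, run the TLS handshake and report the verdict."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                not_after = cert.get("notAfter")
                days_left = None
                if not_after:
                    # Days until the server certificate expires (negative = expired).
                    days_left = (ssl.cert_time_to_seconds(not_after) - time.time()) / 86400
                return {
                    "verdict": classify(None),
                    "protocol": tls.version(),
                    "not_after": not_after,
                    "days_until_expiry": days_left,
                }
    except OSError as exc:  # ssl.SSLError and socket errors are all OSError
        return {"verdict": classify(exc), "detail": str(exc)}


def example_verdicts() -> Dict[str, str]:
    """classify() applied to constructed exceptions; needs no network."""
    return {
        "expired_cert": classify(ssl.SSLCertVerificationError("certificate has expired")),
        "tls_failure": classify(ssl.SSLError("handshake failure")),
        "refused": classify(ConnectionRefusedError()),
        "timeout": classify(TimeoutError()),
        "ok": classify(None),
    }


if __name__ == "__main__":
    print(probe("ibmi.example"))  # placeholder host name
```

A "no-listener" verdict after the server was started matches the restricted-port case on the page, while "handshake-failed-cert" with the listener still answering matches the case where initialization succeeded but the certificate is missing or expired, or where a failed re-initialization left the old listener up while new connections are blocked.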